CVE-2018-17552
Published 2018-10-03
Priority P279 · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 84.06% (99.7th percentile)
SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naviwebs | navigate_cms | — | — |
Detection & IOCs (extracted from sources)
- Detect SQL injection authentication bypass via the 'navigate-user' cookie containing a SQL payload (e.g., OR TRUE -- ) in requests to login.php
- Monitor POST requests to /navigate_upload.php with query parameters 'session_id', 'engine=picnik', and 'id' containing path traversal sequences (e.g., '../../../'); this indicates exploitation of CVE-2018-17553 chained with the auth bypass
- A successful auth bypass results in an HTTP 302 redirect response from login.php and sets a session cookie prefixed with 'NVSID_'; monitor for this pattern following requests with a malicious navigate-user cookie
- Detect multipart/form-data file uploads to /navigate_upload.php where the uploaded file has a JPEG content-type but contains PHP code; this is indicative of a webshell upload
- Alert on GET requests to /navigate/navigate_info.php immediately following a suspicious upload to /navigate_upload.php; this is the payload trigger step in the exploit chain
- The exploit shuffles GET parameters on the upload request to evade order-dependent signature detection; detection rules must not rely on fixed parameter ordering for /navigate_upload.php
- The uploaded PHP payload filename is randomly generated (10–15 alphanumeric characters) per exploit run; filename-based detection is not reliable and content-based inspection is required
- The exploit overwrites navigate_info.php with the payload and attempts to restore it to empty after session establishment; forensic artifacts on disk may be transient
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Navigate CMS - (Unauthenticated) Remote Code Execution (Metasploit) · exploitdb · 2018-10-08 (also indexed under CVE-2018-17553)
Module header as indexed (the listing is truncated; the class declaration and the 'Name' key were lost in extraction):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Navigate CMS Unauthenticated Remote Code Execution',
  'Description' => %q(
    This module exploits insufficient sanitization in the database::protect
    method, of Navigate CMS versions 2.8 and prior, to bypass authentication.
    The module then uses a path traversal vulnerability in navigate_upload.php
    that allows authenticated users to upload PHP files to arbitrary locations.
    Together these vulnerabilities allow an unauthenticated attacker to
    execute arbitrary PHP code remotely.
    This module was tested against Navigate CMS 2.8.
  ),
  'Author' =>
    [
      'Pyriphlegethon' #
```

Metasploit
Navigate CMS Unauthenticated Remote Code Execution
This module exploits insufficient sanitization in the database::protect method of Navigate CMS versions 2.8 and prior to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
No writeups or analysis indexed.
References
- https://github.com/NavigateCMS/Navigate-CMS/commit/6df73ccca64253a5e81c23356943fae50ffc836f
- https://github.com/rapid7/metasploit-framework/pull/10704
- https://www.exploit-db.com/exploits/45561/